Chrome Blink SpeechRecognitionController Use-After-Free

`Throughout November, I plan to release details on vulnerabilities I  
found in web-browsers which I've not released before. This is the  
seventeenth entry in that series. Unfortunately I won't be able to  
publish everything within one month at the current rate, so I may  
continue to publish these through December and January.  
  
The below information is available in more detail on my blog at  
http://blog.skylined.nl/20161123001.html. There you can find a repro  
that triggered this issue, snippets from the vulnerable source and more  
details in addition to the information below.  
  
Follow me on http://twitter.com/berendjanwever for daily browser bugs.  
  
Chrome blink SpeechRecognitionController use-after-free  
=======================================================  
(Chromium 455857, CVE-2015-1251)  
  
Synopsis  
--------  
A specially crafted web-page can cause the blink rendering engine used  
by Google Chrome and Chromium to continue to use a speech recognition  
API object after the memory block that contained the object has been  
freed. An attacker can force the code to read a pointer from the freed  
memory and use this to call a function, allowing arbitrary code execution.  
  
Known affected software and attack vectors  
------------------------------------------  
+ Google Chrome 39.0  
  
An attacker would need to get a target user to open a specially  
crafted webpage. Disabling Javascript should prevent an attacker from  
triggering the vulnerable code path.  
  
Description  
-----------  
Creating a `webkitSpeechRecognition` Javascript object in a popup window  
before closing the popup frees a C++ object used internally by the  
speech recognition API code but leaves a dangling pointer to the freed  
memory in another C++ object. When the `start()` Javascript method is  
called, this dangling pointer is used to try to read a function pointer  
from a virtual function table and call that function. An attacker has  
ample time to groom the heap between the free and re-use in order to  
control the function pointer used by the code, allowing arbitrary code  
execution.  
  
Exploit  
-------  
An attacker looking to exploit this issue is going to want to try and  
control the contents of the freed memory, before getting the code to use  
the dangling pointer to call a virtual function. Doing so would allow an  
attacker to execute arbitrary code. This is made possible because steps  
5 and 6 can both be triggered at a time of the attackers choosing,  
giving the attacker the ability to free the memory in step 5 whenever  
this is convenient and attempt to reallocate and fill it with any data  
before executing step 6. This should allow an attacker to create a fake  
`vftable` pointer and gain arbitrary code execution. In order to develop  
a working exploit, existing mitigations will need to be bypassed, most  
significantly ASLR and DEP. As this vulnerability by itself does not  
appear to allow bypassing these mitigations, I did not develop a working  
exploit for it.  
  
Time-line  
---------  
* November 2014: This vulnerability was found through fuzzing.  
* December 2014: This vulnerability was submitted to ZDI and iDefense.  
* January 2015: This vulnerability was acquired by ZDI.  
* February 2015: This vulnerability was fixed in revision 190993.  
* May 2015: This vulnerability was addressed by Google in  
Chrome 43.0.2357.65.  
* November 2016: Details of this issue are released.  
  
Cheers,  
  
SkyLined  
  
  
Repro.html  
  
<html>  
<head>  
<script>  
oAWindow = window.open();  
oAWebkitASpeechARecognition = new oAWindow.webkitASpeechARecognition();  
oAWindow.close();  
setAInterval(function(){  
if (oAWindow.closed) {  
oAWebkitASpeechARecognition.start();  
}  
}, 10);  
</script>  
</head>  
</html>  
  
`